Merge pull request #2 from google/master

update

.github/workflows/ci.yml

@@ -16,24 +16,30 @@ jobs:
     permissions:
       actions: write  # for styfle/cancel-workflow-action to cancel/stop running workflows
       contents: read  # for actions/checkout to fetch code
-    name: "${{ matrix.root-pom }} on JDK ${{ matrix.java }}"
+    name: "${{ matrix.root-pom }} on JDK ${{ matrix.java }} on ${{ matrix.os }}"
     strategy:
       matrix:
-        java: [ 8, 11 ]
+        os: [ ubuntu-latest ]
+        java: [ 8, 11, 17 ]
         root-pom: [ 'pom.xml', 'android/pom.xml' ]
-    runs-on: ubuntu-latest
+        include:
+          - os: windows-latest
+            java: 17
+            root-pom: pom.xml
+    runs-on: ${{ matrix.os }}
     env:
       ROOT_POM: ${{ matrix.root-pom }}
     steps:
       # Cancel any previous runs for the same branch that are still running.
       - name: 'Cancel previous runs'
-        uses: styfle/cancel-workflow-action@0.10.0
+        uses: styfle/cancel-workflow-action@b173b6ec0100793626c2d9e6b90435061f4fc3e5
         with:
           access_token: ${{ github.token }}
       - name: 'Check out repository'
-        uses: actions/checkout@v3
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
       - name: 'Set up JDK ${{ matrix.java }}'
-        uses: actions/setup-java@v3.4.1
+        uses: actions/setup-java@5ffc13f4174014e2d4d4572b3d74c3fa61aeb2c2
+
         with:
           java-version: ${{ matrix.java }}
           distribution: 'zulu'
@@ -49,6 +55,10 @@ jobs:
         if: ${{ failure() }}
         shell: bash
         run: ./util/print_surefire_reports.sh
+      - name: 'Integration Test'
+        if: matrix.java == 11
+        shell: bash
+        run: util/gradle_integration_tests.sh
 
   publish_snapshot:
     name: 'Publish snapshot'
@@ -57,9 +67,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: 'Check out repository'
-        uses: actions/checkout@v3
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
       - name: 'Set up JDK 11'
-        uses: actions/setup-java@v3.4.1
+        uses: actions/setup-java@5ffc13f4174014e2d4d4572b3d74c3fa61aeb2c2
+
         with:
           java-version: 11
           distribution: 'zulu'
@@ -82,9 +93,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: 'Check out repository'
-        uses: actions/checkout@v3
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
       - name: 'Set up JDK 11'
-        uses: actions/setup-java@v3.4.1
+        uses: actions/setup-java@5ffc13f4174014e2d4d4572b3d74c3fa61aeb2c2
+
         with:
           java-version: 11
           distribution: 'zulu'

.github/workflows/gradle-wrapper-validation.yml

@@ -0,0 +1,13 @@
+name: "Validate Gradle Wrapper"
+on: [push, pull_request]
+
+permissions:
+  contents: read
+
+jobs:
+  validation:
+    name: "Validation"
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+      - uses: gradle/wrapper-validation-action@8d49e559aae34d3e0eb16cde532684bc9702762b

.github/workflows/scorecard.yml

@@ -0,0 +1,72 @@
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: Scorecard supply-chain security
+on:
+  # For Branch-Protection check. Only the default branch is supported. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+  branch_protection_rule:
+  # To guarantee Maintained check is occasionally updated. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+  schedule:
+    - cron: '45 9 * * 0'
+  push:
+    branches: [ "master" ]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Needed to publish results and get a badge (see publish_results below).
+      id-token: write
+      # Uncomment the permissions below if installing in a private repository.
+      # contents: read
+      # actions: read
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@80e868c13c90f172d68d1f4501dee99e2479f7af # v2.1.3
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
+          # - you want to enable the Branch-Protection check on a *public* repository, or
+          # - you are installing Scorecard on a *private* repository
+          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
+          # repo_token: ${{ secrets.SCORECARD_TOKEN }}
+
+          # Public repositories:
+          #   - Publish results to OpenSSF REST API for easy access by consumers
+          #   - Allows the repository to include the Scorecard badge.
+          #   - See https://github.com/ossf/scorecard-action#publishing-results.
+          # For private repositories:
+          #   - `publish_results` will always be set to `false`, regardless
+          #     of the value entered here.
+          publish_results: true
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard.
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@f6e388ebf0efc915c6c5b165b019ee61a6746a38 # v2.20.1
+        with:
+          sarif_file: results.sarif

README.md

@@ -2,10 +2,11 @@
 
 [![Latest release](https://img.shields.io/github/release/google/guava.svg)](https://github.com/google/guava/releases/latest)
 [![Build Status](https://github.com/google/guava/workflows/CI/badge.svg?branch=master)](https://github.com/google/guava/actions)
+[![OpenSSF Best Practices](https://bestpractices.coreinfrastructure.org/projects/7197/badge)](https://bestpractices.coreinfrastructure.org/projects/7197)
 
-Guava is a set of core Java libraries from Google that includes new collection types
-(such as multimap and multiset), immutable collections, a graph library, and
-utilities for concurrency, I/O, hashing, caching, primitives, strings, and more! It
+Guava is a set of core Java libraries from Google that includes new collection
+types (such as multimap and multiset), immutable collections, a graph library,
+and utilities for concurrency, I/O, hashing, primitives, strings, and more! It
 is widely used on most Java projects within Google, and widely used by many
 other companies as well.
 
@@ -22,8 +23,8 @@ Guava comes in two flavors:
 Guava's Maven group ID is `com.google.guava`, and its artifact ID is `guava`.
 Guava provides two different "flavors": one for use on a (Java 8+) JRE and one
 for use on Android or by any library that wants to be compatible with Android.
-These flavors are specified in the Maven version field as either `31.1-jre` or
-`31.1-android`. For more about depending on Guava, see
+These flavors are specified in the Maven version field as either `32.1.1-jre` or
+`32.1.1-android`. For more about depending on Guava, see
 [using Guava in your build].
 
 To add a dependency on Guava using Maven, use the following:
@@ -32,9 +33,9 @@ To add a dependency on Guava using Maven, use the following:
 <dependency>
   <groupId>com.google.guava</groupId>
   <artifactId>guava</artifactId>
-  <version>31.1-jre</version>
+  <version>32.1.1-jre</version>
   <!-- or, for Android: -->
-  <version>31.1-android</version>
+  <version>32.1.1-android</version>
 </dependency>
 ```
 
@@ -45,16 +46,16 @@ dependencies {
   // Pick one:
 
   // 1. Use Guava in your implementation only:
-  implementation("com.google.guava:guava:31.1-jre")
+  implementation("com.google.guava:guava:32.1.1-jre")
 
   // 2. Use Guava types in your public API:
-  api("com.google.guava:guava:31.1-jre")
+  api("com.google.guava:guava:32.1.1-jre")
 
   // 3. Android - Use Guava in your implementation only:
-  implementation("com.google.guava:guava:31.1-android")
+  implementation("com.google.guava:guava:32.1.1-android")
 
   // 4. Android - Use Guava types in your public API:
-  api("com.google.guava:guava:31.1-android")
+  api("com.google.guava:guava:32.1.1-android")
 }
 ```
 
@@ -113,10 +114,11 @@ flavor.
 5.  Our classes are not designed to protect against a malicious caller. You
     should not use them for communication between trusted and untrusted code.
 
-6.  For the mainline flavor, we test the libraries using only OpenJDK 8 and
-    OpenJDK 11 on Linux. Some features, especially in `com.google.common.io`,
-    may not work correctly in other environments. For the Android flavor, our
-    unit tests also run on API level 15 (Ice Cream Sandwich).
+6.  For the mainline flavor, we test the libraries using OpenJDK 8, 11, and 17
+    on Linux, with some additional testing on newer JDKs and on Windows. Some
+    features, especially in `com.google.common.io`, may not work correctly in
+    non-Linux environments. For the Android flavor, our unit tests also run on
+    API level 15 (Ice Cream Sandwich).
 
 [guava-snapshot-api-docs]: https://guava.dev/releases/snapshot-jre/api/docs/
 [guava-snapshot-api-diffs]: https://guava.dev/releases/snapshot-jre/api/diffs/

android/guava-testlib/src/com/google/common/collect/testing/AbstractCollectionTester.java

@@ -17,6 +17,7 @@
 package com.google.common.collect.testing;
 
 import com.google.common.annotations.GwtCompatible;
+import com.google.errorprone.annotations.CanIgnoreReturnValue;
 import java.util.Collection;
 import org.junit.Ignore;
 
@@ -41,6 +42,7 @@ protected Collection<E> actualContents() {
 
   // TODO: dispose of this once collection is encapsulated.
   @Override
+  @CanIgnoreReturnValue
   protected Collection<E> resetContainer(Collection<E> newContents) {
     collection = super.resetContainer(newContents);
     return collection;

android/guava-testlib/src/com/google/common/collect/testing/AbstractContainerTester.java

@@ -17,6 +17,7 @@
 package com.google.common.collect.testing;
 
 import com.google.common.annotations.GwtCompatible;
+import com.google.errorprone.annotations.CanIgnoreReturnValue;
 import com.google.errorprone.annotations.OverridingMethodsMustInvokeSuper;
 import java.util.ArrayList;
 import java.util.Arrays;
@@ -61,6 +62,7 @@ public void setUp() throws Exception {
    * @see #resetContainer(Object) resetContainer(C)
    * @return the new container instance.
    */
+  @CanIgnoreReturnValue
   protected C resetContainer() {
     return resetContainer(getSubjectGenerator().createTestSubject());
   }
@@ -75,6 +77,7 @@ protected C resetContainer() {
    * @return the new container instance
    * @param newValue the new container instance
    */
+  @CanIgnoreReturnValue
   protected C resetContainer(C newValue) {
     container = newValue;
     return container;
@@ -207,7 +210,7 @@ protected Collection<E> getSampleElements() {
 
   /**
    * Returns the {@linkplain #getSampleElements() sample elements} as ordered by {@link
-   * TestContainerGenerator#order(List)}. Tests should used this method only if they declare
+   * TestContainerGenerator#order(List)}. Tests should use this method only if they declare
    * requirement {@link com.google.common.collect.testing.features.CollectionFeature#KNOWN_ORDER}.
    */
   protected List<E> getOrderedElements() {

android/guava-testlib/src/com/google/common/collect/testing/AbstractIteratorTester.java

@@ -31,6 +31,7 @@
 import java.util.Set;
 import java.util.Stack;
 import junit.framework.AssertionFailedError;
+import org.checkerframework.checker.nullness.qual.Nullable;
 
 /**
  * Most of the logic for {@link IteratorTester} and {@link ListIteratorTester}.
@@ -146,9 +147,9 @@ protected final class MultiExceptionListIterator implements ListIterator<E> {
      * {@link #previousElements} if the reverse is true, or -- overriding both of these -- {@code
      * null} if {@code remove()} or {@code add()} has been called more recently than either. We use
      * this to determine which stack to pop from on a call to {@code remove()} (or to pop from and
-     * push to on a call to {@code set()}.
+     * push to on a call to {@code set()}).
      */
-    Stack<E> stackWithLastReturnedElementAtTop = null;
+    @Nullable Stack<E> stackWithLastReturnedElementAtTop = null;
 
     MultiExceptionListIterator(List<E> expectedElements) {
       Helpers.addAll(nextElements, Helpers.reverse(expectedElements));
@@ -363,7 +364,7 @@ private static List<Object> subListCopy(Object[] source, int size) {
   }
 
   private interface IteratorOperation {
-    Object execute(Iterator<?> iterator);
+    @Nullable Object execute(Iterator<?> iterator);
   }
 
   /**
@@ -449,7 +450,7 @@ private <T extends Iterator<E>> void internalExecuteAndCompare(
   private static final IteratorOperation REMOVE_METHOD =
       new IteratorOperation() {
         @Override
-        public Object execute(Iterator<?> iterator) {
+        public @Nullable Object execute(Iterator<?> iterator) {
           iterator.remove();
           return null;
         }
@@ -475,7 +476,7 @@ private final IteratorOperation newAddMethod() {
     final Object toInsert = elementsToInsert.next();
     return new IteratorOperation() {
       @Override
-      public Object execute(Iterator<?> iterator) {
+      public @Nullable Object execute(Iterator<?> iterator) {
         @SuppressWarnings("unchecked")
         ListIterator<Object> rawIterator = (ListIterator<Object>) iterator;
         rawIterator.add(toInsert);
@@ -488,7 +489,7 @@ private final IteratorOperation newSetMethod() {
     final E toInsert = elementsToInsert.next();
     return new IteratorOperation() {
       @Override
-      public Object execute(Iterator<?> iterator) {
+      public @Nullable Object execute(Iterator<?> iterator) {
         @SuppressWarnings("unchecked")
         ListIterator<E> li = (ListIterator<E>) iterator;
         li.set(toInsert);

android/guava-testlib/src/com/google/common/collect/testing/AbstractMapTester.java

@@ -23,6 +23,7 @@
 import java.util.ListIterator;
 import java.util.Map;
 import java.util.Map.Entry;
+import org.checkerframework.checker.nullness.qual.Nullable;
 import org.junit.Ignore;
 
 /**
@@ -167,7 +168,7 @@ protected void expectMissing(Entry<K, V>... entries) {
     }
   }
 
-  private static boolean equal(Object a, Object b) {
+  private static boolean equal(@Nullable Object a, @Nullable Object b) {
     return a == b || (a != null && a.equals(b));
   }
 

android/guava-testlib/src/com/google/common/collect/testing/AbstractTester.java

@@ -18,6 +18,7 @@
 
 import com.google.common.annotations.GwtCompatible;
 import junit.framework.TestCase;
+import org.checkerframework.checker.nullness.qual.Nullable;
 
 /**
  * This abstract base class for testers allows the framework to inject needed information after
@@ -34,8 +35,8 @@
 public class AbstractTester<G> extends TestCase {
   private G subjectGenerator;
   private String suiteName;
-  private Runnable setUp;
-  private Runnable tearDown;
+  private @Nullable Runnable setUp;
+  private @Nullable Runnable tearDown;
 
   // public so that it can be referenced in generated GWT tests.
   @Override
@@ -54,7 +55,8 @@ public void tearDown() throws Exception {
   }
 
   // public so that it can be referenced in generated GWT tests.
-  public final void init(G subjectGenerator, String suiteName, Runnable setUp, Runnable tearDown) {
+  public final void init(
+      G subjectGenerator, String suiteName, @Nullable Runnable setUp, @Nullable Runnable tearDown) {
     this.subjectGenerator = subjectGenerator;
     this.suiteName = suiteName;
     this.setUp = setUp;